Federal Election Commission
Office of Inspector General

Final Report

Inspection of FEC Compliance with FMFIA/OMB Circular A-123

June 2014

Assignment No. OIG-14-01

Office of Inspector General’s Inspection of FEC Compliance with FMFIA/OMB Circular A-123
April 2014 Report

The overall objective for this Office of Inspector General (OIG) inspection was to review and assess the Federal Election Commission’s (FEC) compliance with the Federal Managers’ Financial Integrity Act (FMFIA) requirements, as prescribed by Office of Management and Budget (OMB) Circular A-123, and to provide management with recommendations to help strengthen this FEC function. The OIG conducted this inspection in accordance with the Council of the Inspectors General on Integrity and Efficiency (CIGIE) Quality Standards for Inspections and Evaluations, January 2011.

Noteworthy Accomplishments

• The Office of the Chief Financial Officer (OCFO) provides detailed guidance for the annual internal control review process to assist program managers to assess and report on internal controls.
• Four (Public Disclosure, Office of Administrative Review, Reports Analysis Division, and Office of Human Resources) of the 15 program offices reviewed are submitting internal control review (ICR) reports that describe what was entailed in their annual assessments. Program offices are not required to submit an ICR report.
  Therefore, completing an ICR report demonstrates to the OIG that these offices understand the importance of effective internal controls.

OIG Concerns

• The OCFO’s review procedures for the annual internal control review (ICR) process needs to be enhanced to ensure standard operating procedures as outlined in Directive 53 (Internal Control Program) are operating effectively and are in compliance with FMFIA and OMB Circular A-123.
• 67% of program offices reviewed do not provide or maintain sufficient documentation to evidence compliance with Directive 53.
• As required, internal control weaknesses identified in OIG, independent reviews, and other government oversight agencies reports are not consistently disclosed by all program offices. This increases the risk that control weaknesses may not be properly reported.
• There is not sufficient evidence to conclude whether a comprehensive risk assessment is consistently performed for all program offices.

More detailed information related to the OIG Concerns can be found in the remainder of this report (see Executive Summary and Inspection Findings and Recommendations).

OIG Inspection of FEC’s Compliance with FMFIA/A-123

TABLE OF CONTENTS

EXECUTIVE SUMMARY

FINDINGS AND RECOMMENDATIONS

I. Program Offices are not Complying with Directive
     Recommendations
     Management Comments
II. Opportunity to Improve the Annual Risk Assessments
     Recommendations
     Management Comments
III. Review Procedures by OCFO Needs to be Enhanced
     Recommendations
     Management Comments
Conclusion

BACKGROUND

OBJECTIVES, SCOPE AND METHODOLOGY

APPENDIX: MANAGEMENT RESPONSE TO THE A-123 INSPECTION REPORT

Office of Inspector General’s Inspection of the Federal Election Commission’s Compliance with FMFIA/A-123
2014 Report

Executive Summary

At the Federal Election Commission (FEC), the Office of the Chief Financial Officer (OCFO) has been delegated operational responsibility for the FEC’s internal control program.
The requirement for federal agencies to have adequate internal controls is mandated by the Federal Managers’ Financial Integrity Act (FMFIA) and the Office of Management and Budget’s (OMB) Circular A-123 guidance. According to the FMFIA, “…management is responsible for establishing and maintaining internal control to achieve the objectives of effective and efficient management operations, reliable financial reporting and compliance with applicable laws and regulations…” The FEC’s implementation of FMFIA/OMB Circular A-123 requirements are contained in FEC Directive 53 (Implementation of OMB Circular A-123: Internal Control Program) which also describes the FEC’s policies and standard procedures for performing the annual internal control reviews (ICR) at the program office level. For more detailed explanation of regulations and guidance related to internal controls and FEC’s compliance procedures, see the Background section (beginning on page 5) of this report.

In order to ensure internal controls are achieving the desired results, periodic assessments are necessary. In fact, OMB Circular A-123 states “...Federal managers must take systematic and proactive measures to… (ii) assess the adequacy of internal control in Federal programs and operations; [and] (iv) identify needed improvements.”

As part of the Office of Inspector General (OIG) fiscal year (FY) 2013 work plan, a review of FEC’s processes for complying with FMFIA/A-123 was selected.
The OIG’s objective for this inspection was to:

• determine if the FEC is complying with the requirements of FMFIA and OMB Circular A-123;
• assess whether the FEC's ICR process is adequately designed and operating effectively; and
• identify any process improvements (best practices), and provide management with recommendations to help strengthen this FEC function.

Overall, OIG concludes that the FEC is generally in compliance with FMFIA/OMB A-123 annual internal control assessment requirements. However, we have identified the following issues and process improvement opportunities related to the annual ICR process:

1. Program managers are not maintaining nor providing to the OCFO sufficient documentation to evidence that ICRs were properly conducted and in compliance with FEC internal control policies and procedures as outlined in Directive 53.
2. There is an opportunity for the FEC to improve the risk assessment process. Currently, the standard control questionnaire (the Vulnerability Assessment Checklist) only captures general control risk. Therefore, all risk associated with a particular program/process is not specifically addressed.
3. We believe that OCFO’s review procedures for the ICR process should be enhanced to ensure the assessments by program offices are in compliance with Directive 53 and that the FEC is adhering to FMFIA/OMB Circular A-123 requirements.

OIG notes that OMB is in the process of revising the A-123 guidance.
The proposed changes to the A-123 guidance are documented in the Government Accountability Office’s (GAO) 2013 Green Book Exposure Draft [1] which was published in September 2013. The final version of the updated OMB Circular A-123 is expected to be released by the end of calendar year 2014. OIG reviewed the Green Book Exposure Draft and we do not anticipate any major changes to the internal control standards as they relate to the FEC. The revised guidance introduces 17 internal control principles along with related attributes that clarify what is required for an effective internal control system. Based on these new principles, OIG believes that the FEC will need to improve its current internal control structure to include policies and procedures for identifying, documenting, and monitoring internal controls. The recommendations included in this report are provided to help management improve their current processes and assist with planning for implementing the new internal control guidance. The recommendations should be incorporated into revised policies and procedures for the ICR process.

[1] GAO is required to issue standards for internal control in government. These standards, known as the Standards for Internal Control in the Federal Government (Green Book), provide the overall framework for establishing and maintaining an effective internal control system. For more information, see the 2013 Exposure Draft, GAO-13-830SP.

Inspection Findings & Recommendations

I. Program Offices are not Complying with Directive 53

A.
Based on testing performed, OIG determined the following:

• 10 of 15 program offices reviewed did not submit any detailed information in fiscal years 2012 and/or 2013 to formally document the program(s) reviewed and the procedures performed during the annual internal control review process. Therefore, the OIG concludes that 67% (10 of 15) of program offices are not properly documenting their annual internal control reviews.
• 3 of 5 program managers interviewed for this inspection do not prepare any supporting documentation to evidence steps completed during the annual review process.

[Sidebar: All program managers are not providing sufficient information to support the annual internal control review.]

According to OMB Circular A-123 (A-123), “…Documentation should be appropriately detailed and organized and contain sufficient information to support management’s assertions...”

According to Directive 53, “…documentation of final reviews and summaries should reside with the OCFO whereas detailed backup should stay with program offices. The documentation should be maintained for a period of at least two years for record-keeping purposes.”

Failure to properly document the ICR process increases the risk that an adequate review was not performed. In addition, the lack of evidence to support the risk assessments may reduce the reliability of the assurance certification made by program offices on the effectiveness of internal controls to prevent and detect waste, fraud, abuse, and misuse.

B.
Two program offices did not disclose in their ICR package unrectified internal control weaknesses reported in prior OIG and independent contractors’ reports as follows:

• Neither the Office of the General Counsel (OGC) nor the Office of the Chief Information Officer (co-program offices for privacy) disclosed control issues reported in the OIG Privacy Follow-up Audit in their FY 2012 and FY 2013 ICR package. Based on a discussion with one of the program managers, he didn’t think the related issues needed to be included in OGC’s ICR package.

  [Sidebar: Co-privacy program managers did not disclose control issues reported by OIG in their ICR package.]

• Office of the Chief Information Officer’s (OCIO) ICR package did not disclose the information technology security internal control weaknesses from the FEC’s annual financial statement audits in the FY 2012 or FY 2013 assurance letters.

  Also, OCIO did not disclose data breaches and other control weaknesses from other audit reports (i.e. Inspection of the FEC’s Disaster Recovery Plan and Continuity of Operations Plans) in the FY 2012 and FY 2013 assurance letters.
  When OIG followed-up with the Deputy CIO to determine the reasons the internal control weaknesses were not included in the OCIO’s assurance letters, the Deputy CIO stated that he didn’t think it was necessary to include the control issues and corrective actions in the ICR packages because the details were already documented in the applicable reports’ corrective action plans (CAP). While OIG recognizes that program offices have limited resources and thus may strive to prevent duplicating work, it can not come at the expense of not complying with FEC policies and procedures or implementing federal regulations and guidance, and therefore the internal control weaknesses should have been included in the OCIO’s ICR package.

According to Directive 53, “…The program managers will evaluate all internal control processes on an ongoing basis,…and report all findings and corrective actions taken in their annual report…Problems or weaknesses requiring immediate corrective action will be included in the program managers’ annual internal control reports as part of their letters of assurance…”

In addition, OIG notes that according to FMFIA reporting requirements and Directive 53, all control issues should be reported internally and material control weaknesses along with corrective actions taken are required to be included in the agency’s annual assurance letter. Failure to disclose or include the referenced documents that list all internal control issues in the annual ICR package compromises the accuracy of the internal control assessments at the program office level. In addition, if aggregate control issues that constitute a material control weakness are not identified and thus not disclosed as such in the agency’s assurance letter to the President, this could have an adverse effect on the agency’s compliance with the law.

[Sidebar: Per FMFIA, all control issues should be reported internally and material control weaknesses must be included in the agency’s annual assurance letter.]

Recommendations

1. The Office of the Chief Financial Officer (OCFO) should ensure sufficient information is included in the internal control review (ICR) packages submitted by program offices by making the ICR report mandatory.

Management Response:
OCFO Management partially agrees with recommendation number one.

The OCFO agrees with the OIG’s conclusion that “the FEC is generally in compliance with FMFIA/OMB A-123 annual internal control assessment requirements.” Under the guidance of Directive 53, the Commission delegated the responsibility to program managers to exercise professional judgment and assess the internal controls for their areas.
The program managers complied with the guidance.

While the OCFO does not agree with the recommendation to make the ICR Report mandatory, the OCFO does agree to enhance its guidance and documentation as appropriate. Specifically, program managers will be reminded that sufficient documentation must be maintained to support that internal controls were properly reviewed. The OCFO’s guidance for the Internal Control Review process will include a comparison of OIG findings to the feedback received from the program managers. If discrepancies are noted, the OCFO will discuss the matter with the appropriate managers to determine the status of the findings and the implications for the internal control of that program. The outcome of this process will be documented.

OIG Comment:
The OIG believes that making the ICR report mandatory is a best practice and should be considered by Management. In addition, summarizing and standardizing all the information required to support the ICR process into one document (the ICR report) would be more efficient. However, the corrective actions planned by Management should address this recommendation. OIG looks forward to reviewing the controls to be implemented to ensure that sufficient information is provided by management to support the assurance given.

2.
As a best practice, the ICR Report should be standardized to include the following information:
   o List of all programs/processes applicable and unique to the office/division;
   o Brief description of each program's key controls with reference to pertinent policies/standard operating procedures;
   o Summary of the annual internal control review including any specific programs that were assessed;
   o Results and conclusion(s) of the review(s) including any internal control issues identified along with corrective actions planned/implemented (NOTE: If there is an applicable corrective action plan that addresses the corrective actions related to control issues/weaknesses included, then the ICR report only needs to reference the CAP); and
   o Summary of control issues reported by OIG, other regulatory bodies, and/or independent reviews along with reference to any CAP(s).

Management Response:
OCFO Management partially agrees with recommendation number two. See response to recommendation number one above.

OIG Comment:
See comment to Management response to recommendation number one.

II.
Opportunity to Improve the Annual Risk Assessments

The standard questions included in the Vulnerability Assessment Checklist (VAC) only capture and rate general risk related to any FEC program offices. However, the VAC does not capture potential risk unique to a particular FEC program (which is known as “inherent risk”). In addition, as most program offices are not providing or maintaining supporting documentation to describe the risk assessments performed, OIG is unable to confirm if the annual risk assessments conducted are adequate to substantiate the level of assurance required by Directive 53 and the FMFIA. The risk assessments at the program level would be more effective if specific control objectives and related inherent risks were identified, evaluated, and documented.

[Sidebar: The VAC does not capture potential risk unique to each program office.]

According to A-123, “…The agency head must describe the analytical basis for the type of assurance being provided, and the extent to which agency activities were assessed…;” and according to Directive 53, “Each program manager must evaluate risks associated with his or her program.”

OIG notes that all current program managers have not been trained on the ICR process and how to conduct a risk assessment, and may not understand what level of detail/information that should be documented. Maintaining sufficient documentation is necessary to evidence compliance with the risk assessment process and to support the level of assurance given for each program.

[Sidebar: All program managers have not been trained on the ICR process.]

Recommendations

3. Once the new A-123 guidance is finalized, OCFO should revise the Vulnerability Assessment Checklist (VAC) to ensure it is aligned with the updated control objectives and their related principles and attributes.

Management Response:
Management agrees with recommendation number three. The OCFO agrees that the VAC will be addressed once the new A-123 is issued. For comparative purposes, however, a VAC should be general enough to cover all the common elements of all the program offices.

OIG Comment:
The OIG looks forward to reviewing Management’s corrective action plan to ensure it fully addresses this recommendation.

4. OCFO should require any item marked as high risk on the VAC is explained in the respective program office’s ICR Report.

Management Response:
OCFO Management partially agrees with recommendation number four. The OCFO does not plan to make the ICR Report mandatory (see Management Response to recommendation number one). However, the VAC will be supplemented to identify top risk factors and the impact if that risk is not mitigated.
In the past few years, the OCFO has queried program managers about all the VAC items marked as high. As stated above, however, Directive 53 assigns program managers the responsibility to exercise their professional judgment in preparing their ICR reports if deemed necessary. As previously discussed with the OIG in December 2013 and January 2014, OCFO Management would like to wait until a new A-123 is released to review and update the annual ICR process.

OIG Comment:
The OIG believes that summarizing all supplemental information required to support the ICR process should be consolidated into one document (the ICR report). Creating a standard ICR report template would streamline the ICR process and would improve the efficiency of OCFO’s review of all program offices ICR packages. OIG looks forward to reviewing OCFO Management’s corrective action plan to ensure that it fully addresses this recommendation.

5. As a best practice, program managers with the assistance of OCFO, should be trained on how to conduct an inherent risk assessment for all mission critical programs. Going forward, these inherent risk assessments should be reviewed annually as part of the ICR process.

Management Response:
OCFO Management partially agrees with recommendation number five. When the revised GAO Green Book and the updated version of A-123 are available, the OCFO will address the FEC’s Internal Control guidance and provide a training to appropriate program managers.
The OCFO is unclear about the relationship between ‘potential risk unique to a particular FEC program’ and ‘inherent risk’ as mentioned in the IG’s recommendation number five above. Internally, the OCFO has its own determination of ‘inherent risk assessment’ that is different from the risk assessment for the annual ICR process.

OIG Comment:
For the purpose of the readers of this report, “potential risk unique to a particular FEC program” was meant to explain the term “inherent risk” and thus used interchangeably. The OIG looks forward to reviewing corrective actions planned by Management to ensure that it fully addresses this recommendation.

III. Review Procedures by OCFO Needs to be Enhanced

Based on the OIG’s review of FEC’s ICR process and procedures, we believe that the OCFO is performing some review procedures for the ICR process. However, the OCFO review process is not an effective monitoring control to ensure that program managers are providing complete and accurate information to substantiate the assurance given. OIG concludes that this is mainly because program offices do not provide sufficient documentation to OCFO on the results of the program offices’ reviews.

[Sidebar: OCFO is not obtaining sufficient information to perform adequate review procedures.]

According to Directive 53: “…the Commission delegates operational responsibility for the FEC’s internal control program to the CFO…”

While OIG does agree that OCFO is not directly responsible for the internal control reviews of each program office, and that OCFO must rely on the results of the assessments made at the program level, adequate review procedures are necessary to ensure all internal control issues are properly identified and evaluated for the agency’s annual assurance certification. In addition, the OIG also notes that the review procedures under the current internal control standards are expected to be expanded as oversight is one of the main internal control principles that will be added to the revised GAO Green Book.

[Sidebar: Adequate review procedures are necessary to ensure all control issues are properly identified and evaluated.]

According to the Standards for Internal Control in the Federal Government: 2013 Exposure Draft:

    “…The oversight body oversees management’s design, implementation, and operation of the entity’s internal control system.
    The oversight body’s responsibilities for the entity’s internal control system include:
    …Monitoring - Scrutinize the nature and scope of management’s monitoring activities as well as management’s evaluation and remediation of identified deficiencies...”

Failure to report known internal control weaknesses increases the risk that the agency will not be in compliance with applicable laws, regulations, and guidance.

Recommendations

6. The OCFO should improve their review process by paying special attention to the methodologies for the risk ratings and explanations of control issues for reasonableness, and to ensure all internal control issues are properly reported and potential material control weaknesses are identified.

Management Response:
OCFO Management partially agrees with recommendation number six.

With only operational responsibility delegated by Directive 53 to CFO, the OCFO will consider the OIG concerns when preparing the annual internal control guidance for Fiscal Year 2014. Please see the management responses above for what the OCFO plans to do in this regard.

OIG Comment:
The OIG looks forward to reviewing corrective actions planned by Management to ensure that it fully addresses this recommendation.
                OIG also notes that the fact that OCFO has been delegated operational
                responsibility for implementing the FEC’s internal control program, and that the
                CFO Report includes a recommendation whether the Commission can “provide
                reasonable assurance that the FEC’s internal controls are adequate and operating
                effectively”, gives the OCFO implied responsibility to ensure that (1) the ICR
                process is being complied with; and (2) assessments by program offices are
                sufficient and reasonable.

        7. After the new A-123 guidance is finalized and implemented by OCFO, OCFO should
           conduct agency-wide training on the ICR process for all program offices and designated
           program managers.

                Management Response:
                OCFO Management agrees with recommendation number seven. When the revised
                GAO Green Book (Green Book) and the updated version of OMB’s Circular A-123
                (A-123) guidance are available, the OCFO expects to address the FEC’s Internal
                Control guidance and provide a training to appropriate program managers.

                OIG Comment:
                The OIG looks forward to reviewing corrective actions planned by Management to
                ensure that it fully addresses this recommendation.

        8. Going forward, OCFO should require any new designated program managers to be
           identified at the start of the agency-wide A-123 review process, and OCFO should ensure
           that all new program managers are trained on the ICR process before conducting their first
           review.

                Management Response:
                OCFO Management agrees with recommendation number eight.
                See Management response to recommendation number seven above.

                OIG Comment:
                OIG believes management’s corrective action plan may not be adequate to address this
                recommendation. Once the initial training on the new guidance is conducted, a control
                will need to be put in place to ensure any new program managers designated after the
                initial training is conducted are identified and trained before they are required to
                perform an internal control review. The OIG looks forward to reviewing corrective
                actions planned by Management to ensure that it fully addresses this recommendation.

Conclusion

OIG concludes that while the FEC is generally complying with the FMFIA/A-123 requirements, the
supporting documentation maintained and provided to the OCFO by program offices is not always
sufficient to evidence compliance with A-123 guidance. However, we believe there is an opportunity
to strengthen the annual risk assessment process. For example, all potential risk associated with a
particular program/office should be identified and assessed to determine if existing internal controls
are sufficient to mitigate the risk to an acceptable level.
By improving the annual risk assessment
process, implementing additional monitoring controls, and providing training to program managers,
the FEC will have a more effective and robust assessment process and thus a stronger overall control
environment.

Background
The overarching legislation regarding internal controls in federal agencies is the Federal Managers’
Financial Integrity Act of 1982 (FMFIA) as codified in 31 U.S.C. 3512.

According to the FMFIA:

        “Management is responsible for establishing and maintaining internal control to achieve the
        objectives of effective and efficient management operations, reliable financial reporting and
        compliance with applicable laws and regulations.”

The Office of Management and Budget (OMB) issued guidance for implementing the requirements of
the FMFIA through OMB Circular A-123. In December 2004 OMB Circular A-123 (“A-123”) was
revised and consolidated other regulations applicable to internal controls into one document to
include the Federal Financial Management Improvement Act of 1996 (FFMIA, formerly OMB
Circular A-127), and the Improper Payments Elimination and Recovery Act of 2010 (IPERA).

According to A-123:

        “Internal control comprises the plans, methods, policies, and procedures used to fulfill the
        mission, strategic plan, goals, and objectives of the organization.
        Internal control serves as
        the first line of defense in safeguarding assets and preventing and detecting errors and
        fraud...”

Circular A-123 requires federal agencies to:

    •   annually assess whether the internal controls in federal programs and operations are in
        compliance with FMFIA;
    •   identify control weaknesses along with corresponding corrective actions;
    •   provide annual management assurance statements;
    •   plan, document, and test internal controls over financial reporting (as defined in Appendix A);
    •   annually assess controls over charge card programs (as defined in Appendix B);
    •   annually assess improper payments (as defined in Appendix C);
    •   establish and annually report on the recovery audit program according to IPERA (as defined
        in Appendix C); and
    •   annually assess and test controls over financial systems (as defined in Appendix D).

The Federal Election Commission (FEC) is exempt from the requirement in Appendix A to document
and annually test internal controls over financial reporting since the FEC is not a Chief Financial
Officers Act agency. However, the FEC is required to perform an annual assessment of internal
controls and provide an assurance letter that certifies the agency’s internal controls can reasonably be
relied on to prevent and detect waste, fraud, and abuse.

The FEC updated and adopted Directive 53 (effective as of December 15, 2010) to document the
FEC’s policies and standard procedures for implementing an internal control program that complies
with FMFIA/A-123.
Through Directive 53, the Commission has delegated operational responsibility
for the FEC’s internal control program to the Chief Financial Officer (CFO). Directive 53 also gives
detailed guidance on how program offices should conduct risk assessments. A risk assessment is a
process whereby all potential risk associated with a particular program or activity is identified and
evaluated to determine if adequate internal controls are in place and operating effectively to mitigate
the risk or reduce the risk to an acceptable level. Risks are not limited to potential fraud, waste, and
abuse, but also include failure to achieve the agency’s mission, failure to comply with laws,
regulations, and guidance, and/or reputational harm to the agency.

FEC’s annual internal control review (ICR) process normally takes place in August and covers the
current fiscal year which ends on September 30 of the same year. Currently, there are 16 FEC
program offices (including the Office of Inspector General) that perform individual ICRs. Each
program office designates a program manager who is responsible for the internal control program for
their respective office or division.

The program managers are instructed to review applicable programs/processes, conduct a risk
assessment of their respective programs/processes, document the results of the assessments, and
identify any control weaknesses along with recommended corrective action plan(s). In addition, the
program managers have to complete the Vulnerability Assessment Checklist (VAC) which requires
the program managers to rate general internal control questions.
For example, one of the questions in
the VAC asks the offices/divisions whether clear and concise operating procedures are in place.

Based on the results of the ICR, the program managers must provide a statement of assurance on
whether they can give “reasonable assurance that the government funds or assets under their
respective programs are adequately safeguard from potential waste, fraud, abuse, or misuse.” The
statement of assurance is provided in the form of a letter and the assurance letters must be signed by
the applicable division/office head. The program managers have an option to document the results of
their review in a separate ICR Report. Otherwise, the required information must be incorporated in
the VAC and/or assurance letter.

The complete ICR package is forwarded to the OCFO. The ICR package consists of the following:

    1.   Assurance Letter
    2.   ICR Report (optional)
    3.   Vulnerability Assessment Checklist
    4.   List of Policies and Procedures for the office/division

The ICR documents serve as the basis for forming an agency-wide statement of assurance. The
OCFO reviews all the ICR packages for completeness and to identify any changes/fluctuations to
internal control risk levels from the prior year. Any major changes are followed up with the
appropriate program manager to determine the reason for the changes. The OCFO prepares an
agency-wide internal control report (CFO Report) that consolidates and summarizes the results of all
the program offices’ ICR packages and submits the report to the Commission.
The CFO Report also
includes a recommendation by the CFO as to whether the Commission can rely on the FEC’s internal
controls and should give reasonable assurance to prevent fraud, waste, and abuse.

Based on this report, the Chair, on behalf of the Commission, will sign the formal Assurance
Statement on Internal Control. A separate assurance letter is mailed to the President of the United
States and is also included in the annual Performance and Accountability Report (PAR).

OIG notes that OMB is in the process of revising the A-123 guidance. The preliminary changes to the
A-123 guidance are documented in the Government Accountability Office’s (GAO) exposure draft,
Standards for Internal Control in the Federal Government: 2013 Exposure Draft, GAO-13-830SP
(“The Green Book Exposure Draft”) which was published in September 2013. A-123 guidance is
being revised to incorporate key concepts from the 2013 Committee of Sponsoring Organizations of
the Treadway Commission (COSO)² internal control integrated framework for the government
environment. Per OIG review of “The Green Book Exposure Draft”, we conclude that there are no
conceptual changes to the standards on internal controls. The new guidance will introduce 17
principles along with detailed explanations (referred to as attributes) that clarify what is required for
an agency’s internal control program to be considered effective.
The updated version of OMB
Circular A-123 is expected to be released in the later part of calendar year 2014.

² COSO is a national private sector organization dedicated to improving the quality of financial reporting through
business ethics, effective internal controls, and corporate governance and is recognized as a thought leader in the global
marketplace on the development of guidance in the areas of risk and controls. See COSO Internal Control - Integrated
Framework (May 2013).

OBJECTIVES, SCOPE AND METHODOLOGY
Objectives
The OIG’s objective for this inspection was to determine if the FEC is complying with the
requirements of FMFIA and OMB Circular A-123, to assess whether the FEC's annual internal
control review process is adequate, and provide management with recommendations to help
strengthen this FEC function.

Scope
The scope of the inspection included review of FEC’s FMFIA and A-123 compliance procedures
performed during FYs 2012 and 2013.

Methodology – The OIG conducted the following inspection steps:
•   The OIG reviewed FEC’s policies and procedures for compliance with FMFIA and OMB A-123
    requirements to ensure adequate management processes and controls are in place.

•   Researched regulations and guidance related to internal controls including FMFIA, and OMB
    Circular A-123.

•   Reviewed GAO’s exposure draft (Green Book) of new A-123 guidance expected to be issued in
    the latter part of calendar year 2014 to determine if any major changes will be required for FEC.

•   Interviewed the Acting Accounting Director to gain a better understanding of the FEC’s
    annual internal control review process.

•   Reviewed all 15 program offices’ ICR packages submitted for FYs 2012 and 2013.

•   Conducted interviews of five (5) program offices (Office of the Chief Information Officer, Office
    of the General Counsel - Litigation, Office of Administrative Review, Reports Analysis Division,
    and Administrative Services Division) to discuss their annual internal control review process, to
    include:
    o The steps included in the program offices’ review process;
    o The methodology for selecting programs to review;
    o The resources/documents that are utilized during the assessment phase; and
    o How the program office determines the team members to assist with the annual review
        process.

THE FEDERAL ELECTION COMMISSION
Washington, DC 20463

Appendix: Management Response
June 10, 2014

MEMORANDUM

TO:                 Lynne A. McFarland
                    Inspector General

FROM:               Judy Berning
                    Acting Chief Financial Officer

SUBJECT:            Responses to Office of Inspector General’s Inspection of the Federal Election
                    Commission’s Compliance with FMFIA/A-123 2014 Report

The Federal Election Commission (FEC) strives to maintain internal controls at a level sufficient to
manage risk and provide program integrity while realizing that it’s impossible to eliminate all risk and
it is cost effective to accept a tolerable level of risk.
OCFO Management appreciates the opportunity
to comment on the Office of Inspector General’s (OIG) draft report. While the OCFO would like to
wait for an official release of GAO Green Book (Green Book) and revised OMB Circular A-123
(A-123), the OCFO will consider the OIG concerns when preparing the annual internal control guidance
for Fiscal Year 2014, wherever deemed appropriate.

Recommendations:

I.     Program Offices are not Complying with Directive

       OCFO Management partially agrees with recommendation number one and two.

       The OCFO agrees with the OIG’s conclusion that “the FEC is generally in compliance with
       FMFIA/OMB A-123 annual internal control assessment requirements.”

       Under the guidance of Directive 53, the Commission delegated the responsibility to program
       managers to exercise professional judgment and assess the internal controls for their areas. The
       program managers complied with the guidance.

       While the OCFO does not agree with the recommendation to make the Internal Control Review
       (ICR) Report mandatory, the OCFO agrees to enhance its guidance and documentation as
       appropriate. Specifically, program managers will be reminded that sufficient documentation must
       be maintained to support that internal controls were properly reviewed. The OCFO’s guidance for
       the Internal Control Review process will include a comparison of OIG findings to the feedback
       received from the program managers. If discrepancies are noted, the OCFO will discuss the
       matter with the appropriate managers to determine the status of the findings and the implications
       for the internal control of that program. The outcome of this process will be documented.

II.
Opportunity to Improve the Annual Risk Assessments

       OCFO Management agrees with recommendation number three. We agree that the Vulnerability
       Assessment Checklist (VAC) should be updated once the new A-123 guidance is issued. For
       comparative purposes, however, a VAC should be general enough to cover all the common
       elements of all the program offices. The VAC will be supplemented to identify a top risk factor
       and the impact if that risk is not mitigated.

       OCFO Management partially agrees with recommendation number four. In the past few years, the
       OCFO has queried program managers about all the VAC items marked as high. As stated above,
       however, Directive 53 assigns program managers the responsibility to exercise their professional
       judgment in preparing their ICR reports if deemed necessary.

       OCFO Management partially agrees with recommendation number five. When the revised GAO
       Green Book and the updated version of A-123 are available, the OCFO will address the FEC’s
       Internal Control guidance and provide a training to appropriate program managers. The OCFO is
       unclear about the relationship between ‘potential risk unique to a particular FEC program’ and
       ‘inherent risk’ as mentioned on Page 7 of the IG report. Internally, the OCFO has its own
       determination of ‘inherent risk assessment’ that is different from the risk assessment for the
       annual ICR process.

III.   Review Procedures by OCFO Needs to be Enhanced

       OCFO Management partially agrees with recommendation number six. With only operational
       responsibility delegated by Directive 53 to CFO, the OCFO will consider the OIG concerns when
       preparing the annual internal control guidance for Fiscal Year 2014.
       Please see the management
       responses above for what the OCFO plans to do in this regard.

       OCFO Management agrees with recommendation number seven and eight. When the revised
       GAO Green Book and the updated version of A-123 guidance are available, the OCFO expects to
       update the FEC’s Internal Control guidance and provide a training to appropriate program
       managers.

       While it might be true to say the ‘Green Book Exposure Draft’ presents ‘no conceptual changes to
       the standards on internal controls’, this ignores the significance of A-123 which offers guidance as
       to how to implement the new COSO framework and the Green Book.

       Last fall, the OMB collected forty-three suggestions from various agencies on how to update its
       A-123 with the ‘Green Book Exposure Draft.’ Since the Green Book places a greater emphasis on
       program operation, one of the most popular suggestions is to ask for guidance on how to
       implement internal control assessment on program operations. One has to note that A-123 was
       originally designed for financial audits.

       Following the new COSO framework, the Green Book does emphasize the independence of the
       oversight body. Based on information received from recent conferences hosted by GAO and
       OMB, however, it is still unclear how federal agencies may implement the concept of oversight
       body.

       The two examples above are used to illustrate that having implementation guidance from a new
       A-123 will indeed be helpful.
       As previously discussed with the OIG in December 2013 and January
       2014, therefore, OCFO Management would like to wait until a new A-123 is released to review
       and update the annual ICR process.

Federal Election Commission
Office of Inspector General

Fraud Hotline
202-694-1015

or toll free at 1-800-424-9530 (press 0; then dial 1015)
Fax us at 202-501-8134 or e-mail us at oig@fec.gov
Visit or write to us at 999 E Street, N.W., Suite 940, Washington DC 20463

Individuals including FEC and FEC contractor employees are encouraged to alert the OIG to
fraud, waste, abuse, and mismanagement of agency programs and operations. Individuals
who contact the OIG can remain anonymous. However, persons who report allegations are encouraged
to provide their contact information in the event additional questions arise as the OIG evaluates the
allegations. Allegations with limited details or merit may be held in abeyance until further specific details
are reported or obtained. Pursuant to the Inspector General Act of 1978, as amended, the Inspector
General will not disclose the identity of an individual who provides information without the consent of that
individual, unless the Inspector General determines that such disclosure is unavoidable during the course
of an investigation. To learn more about the OIG, visit our Website at: http://www.fec.gov/fecig/fecig.shtml

Together we can make a difference.